Where Chicken Little meets information security
Outside of a movie theater, your plane won’t be hacked out of the sky.
In the famous fable, Chicken Little believed the world was coming to an end and told everyone “the sky is falling”. That ubiquitous phrase refers to any hysterical or mistaken belief that disaster is imminent. In technology, the Year 2000 problem was a well-known Chicken Little event, and when it comes to information security, Chicken Little has been flapping her wings recently.
There are now many Chicken Littles who would have you believe that it isn’t the sky that’s falling, but rather that airplanes are in danger of falling from the sky because of information security vulnerabilities in their systems.
I’ve come across numerous articles recently proposing that there are security problems and threats in aviation. Of those articles, consider these:
· Cybersecurity Report Fears ‘Dismissive’ Approach in Aviation Industry News, a well-respected trade journal, details cybersecurity threats to automatic dependent surveillance-broadcast (ADS-B), a surveillance technology in which an aircraft determines its position via satellite navigation and periodically broadcasts it so that it can be tracked.
· In How can airlines stop hackers pwning planes over the air? And don’t say ‘regular patches’, IT security journalist John Leyden writes that some commercial aircraft are vulnerable to wireless hacking according to a US Department of Homeland Security official.
· Finally, in Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, Calvin Biesecker of Avionics writes more about the Boeing 757 vulnerabilities.
So, can these airplanes really be hacked out of the sky? Should you consider Greyhound buses rather than United airplanes?
As an aside, Bruce Schneier observed that if something is on the news, then you don’t have to worry about it. Case in point: hundreds of people are killed annually in Chicago due to gang and drug violence, and the media is quite silent. Last week, for the first time in history, a ground agent stole a plane, and there are countless stories about airport security gaps. By Schneier’s logic, those stories can be ignored, as there is no threat and there are no airport security gaps.
My friend Jayson Agagnier is an aviation security specialist who spends a good part of his week inside airplanes and cockpits dealing with avionics systems, both primary and secondary. He has designed aircraft security architectures, performed certification testing and contributed to numerous ARINC and RTCA technical standards and guidance documents on aviation systems and security. When Jayson speaks about aviation security, I listen.
The last time I quoted him was in My great Breitling search, a tongue-in-cheek look at how expensive Breitling aviation watches, which real pilots hardly ever wear, make non-aviators feel like real pilots.
The topic here is not lighthearted; it is a matter of life and death. As to the notion of hacking airplane systems that are critical to the safety of flight, Agagnier believes that such a notion is preposterous. In his expert view, hacking airplanes is more of a movie-plot threat than a real-world risk.
As an initial point, Agagnier makes clear that many people don’t understand the nuances of the aviation world, in particular the distinction between safety and security. He notes that it’s a mistake to think the words safety and security can be used interchangeably; both have distinct meanings when it comes to aviation. Let’s define some terms:
· Aviation safety encompasses the theory, investigation, and categorization of failures that could result in harm to an individual, and the prevention of such failures through regulation, design, education, and training.
· Aviation security refers to the techniques and methods used to protect passengers, staff and aircraft using airports from accidental or malicious harm, crime and other threats.
· Computer security is the protection of data, networks and computing power.
In short, safety pertains to functions and actions; security pertains to physical controls.
Modern aircraft are designed and built to be safe. Security is treated as a commercial matter that carries no weight in the safety world: a commercial consideration has no bearing on a safety consideration, and the design philosophy is that a security failure must not be able to harm a person. A safety failure, by contrast, can result in injury and death.
In addition, aircraft systems and software are designed according to the standard DO-178C, Software Considerations in Airborne Systems and Equipment Certification. DO-178C is used by the FAA and other regulators for commercial software-based aerospace systems. The standard has design assurance levels (DALs) ranging from DAL-A, for software whose failure could contribute to a catastrophic failure condition, to DAL-E, for software whose failure has no effect on safety.
Each DAL carries specific requirements regarding redundancy, mitigating controls, partitioning of functions and other factors. Avionics and flight control systems are assigned DAL-A, which means there must be multiple controls in place so that a catastrophic failure is extremely improbable, on the order of 10^-9 (one in a billion) per flight hour. This means there is no single point of failure in the avionics, and any hack of the avionics would require simultaneous inputs across many different system interfaces.
Quite simply, that is not possible on any aircraft flying today, legacy or modern. All flight-critical systems have multiple interfaces to the avionics network and to the other systems they communicate with. At a minimum the flight control network comprises two network channels, and some aircraft have three or four.
The equivalent for a workstation would be to require a minimum of two Ethernet NICs, each with its own fully functional controller, before the operating system and applications would even perform their intended functions.
On older aircraft (everything prior to the Airbus A380 and A350, Boeing 787, Bombardier CSeries, Mitsubishi Regional Jet and Embraer E-Jet E2) the network is a point-to-point network referred to as ARINC 429, or just A429. It is not a bidirectional network: a system wishing to send to another system needs a dedicated output, and the receiving system a dedicated input (referred to as A429-out and A429-in interfaces).
Think of this as if the Ethernet TX and RX operated independently of each other; in some cases a system has only a TX and the receiving system only an RX. If a particular system needs to talk to four other systems, it has four A429-out interfaces, one for each of the systems it communicates with, and each of those four systems has an input dedicated to receiving signals from the originating system. (An A429 output can also be wired to several receivers at once, but traffic on that wire still flows in one direction only.)
Each input is assigned to a particular source system and function, further limiting what the network traffic can be, and the A429 label on each 32-bit word (think packet header) identifies the parameter being sent, while the wire it arrives on fixes where it came from. So, to take control of a flight control system, one needs physical access to the flight control LRU in the avionics bay. Technically, one could tap the wiring harness, but that would require removing wall panelling and inserting a breakout box into the harness. Outside of a Hollywood movie these things are not practical during flight, and they take quite a bit of time to complete (unlike in that Hollywood movie).
Let’s say for the sake of argument that someone did gain access to a system on the aircraft, such as the in-flight entertainment (IFE) system, and then tried to use the IFE to control the airplane. As to the A429 inputs and labels mentioned earlier: the flight control system has no input from the IFE. But let’s say it did (for whatever dumb reason). The flight control system is not designed to accept control commands (labels) on the IFE A429 input, so a flight control command arriving on that input would simply be ignored and dropped, because the IFE is not supposed to be sending flight control commands.
Another thing to consider is that certain systems are multi-channel systems. This means a command must be received on all input interfaces within a prescribed timeframe; if not, the command is ignored. So, for our hacking scenario, a hacker would need to take control of multiple systems over multiple interfaces and issue malicious commands on all of those networks simultaneously. This type of unauthorized control is not possible in the practical world.
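To make the two mechanisms described above concrete, here is a small Python model of them. This is an added example, not code from the article, from Agagnier or from any avionics supplier: it models (1) an A429 input port that is wired to one source and accepts only the labels that source is expected to send, with odd-parity checking of the 32-bit word, and (2) a multi-channel command input that acts only when identical words arrive on every channel inside a short window. Label 206 is the real A429 computed-airspeed label; the other labels, the port and channel names and the 500 microsecond window are assumptions made for the example.

```python
"""ARINC 429 input filtering and multi-channel command voting, modelled in Python.

Added example for illustration; not production avionics code. Labels other than
206, port names, channel names and the voting window are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A429 labels are 8 bits and conventionally written in octal.
LABEL_AIRSPEED = 0o206       # label 206 is computed airspeed in the A429 label set
LABEL_SEAT_CONTROL = 0o145   # hypothetical IFE label (assumption for this model)
LABEL_PITCH_CMD = 0o300      # hypothetical flight control command label (assumption)


@dataclass(frozen=True)
class A429Word:
    """One 32-bit A429 word: label (bits 1-8), SDI (9-10), data (11-29),
    SSM (30-31) and odd parity in bit 32."""
    label: int
    sdi: int
    data: int
    ssm: int

    def encode(self) -> int:
        w = ((self.label & 0xFF)
             | ((self.sdi & 0x3) << 8)
             | ((self.data & 0x7FFFF) << 10)
             | ((self.ssm & 0x3) << 29))
        if bin(w).count("1") % 2 == 0:   # set bit 32 so the total number of ones is odd
            w |= 1 << 31
        return w

    @staticmethod
    def decode(raw: int) -> Optional["A429Word"]:
        """Return the decoded word, or None when the odd-parity check fails."""
        raw &= 0xFFFFFFFF
        if bin(raw).count("1") % 2 == 0:
            return None
        return A429Word(raw & 0xFF, (raw >> 8) & 0x3, (raw >> 10) & 0x7FFFF, (raw >> 29) & 0x3)


class A429InputPort:
    """One receive port on an LRU. The wire fixes which source talks on it and the
    label table fixes which parameters that source may send; other words are dropped."""

    def __init__(self, name: str, source: str, accepted_labels: Set[int]):
        self.name, self.source = name, source
        self.accepted_labels = set(accepted_labels)
        self.log: List[str] = []

    def receive(self, raw: int) -> Optional[A429Word]:
        word = A429Word.decode(raw)
        if word is None:
            self.log.append(f"{self.name}: parity error, word dropped")
            return None
        if word.label not in self.accepted_labels:
            self.log.append(f"{self.name}: label {word.label:03o} is not one {self.source} may send, dropped")
            return None
        return word


class MultiChannelVoter:
    """Multi-channel command input: a command is acted on only when identical words
    arrive on every channel within `window_us` microseconds of each other."""

    def __init__(self, channels: List[str], window_us: int):
        self.channels = list(channels)
        self.window_us = window_us
        self.pending: Dict[str, Tuple[A429Word, int]] = {}

    def receive(self, channel: str, word: A429Word, t_us: int) -> bool:
        if channel not in self.channels:
            return False                      # not a configured channel at all
        # forget arrivals that are already older than the window
        self.pending = {c: (w, t) for c, (w, t) in self.pending.items()
                        if t_us - t <= self.window_us}
        self.pending[channel] = (word, t_us)
        if len(self.pending) < len(self.channels):
            return False                      # still waiting for the other channels
        if len({w for w, _ in self.pending.values()}) != 1:
            return False                      # channels disagree, nothing is actioned
        self.pending.clear()                  # matched set consumed
        return True
```

In this model a pitch command injected on the port wired to the IFE is dropped by the label table before the flight control logic ever sees it, and a command that reaches only one or two of three channels, or reaches the third channel too late, is never actioned. A real flight control computer adds much more (range checks, SSM validity, cross-channel monitoring), but the filtering and voting shape is the same.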
As to the 757 issues mentioned above, it’s important to note that the 757 is not a fly-by-wire (FBW) airplane. In a FBW aircraft an electronic interface replaces the conventional manual flight controls; on the 757 the primary flight controls are mechanical and hydraulic, so there is no computerized flight control system to hack. The only wireless interface to any of the cockpit systems on a 757 is ACARS (aircraft communications addressing and reporting system), which can use a variety of frequencies in the HF, VHF and UHF bands. ACARS inputs must be actioned by the cockpit crew; no command sent via ACARS will ever result in an automated action by the avionics. The design simply does not permit such an action to occur.
While it is true that modern computer equipment such as IFE systems installed on older aircraft could possibly be hacked, such a hack would not degrade safety of flight in any way. It would merely be poor optics for the naïve and ignorant, and is of no concern for safety of flight.
If an airplane were to be hacked, it would need to be a modern digital aircraft such as the Airbus A380 or A350, the Boeing 787 or the Bombardier CSeries, not a decades-old airplane. So, while the 757 is safe, just how hackable is the new generation of digital aircraft?
The primary distinguishing feature between legacy and digital aircraft networks is the move from the slow and heavy (because of the number of wires) A429 network to the newer high-speed ARINC 664 Part 7 (also called AFDX) network. In addition, a system update on a legacy aircraft required removing the line-replaceable unit (LRU), a type of computer, and returning it to the factory to be upgraded. Digital aircraft can have their LRUs upgraded on-wing, either via a special maintenance laptop or via an on-board data loader.
Avionics full-duplex switched Ethernet (AFDX) is the communications network for modern avionics and control systems. While Ethernet is not a secure protocol, it’s important to note that AFDX is not its insecure cousin, plain IEEE 802.3 office Ethernet, even though it borrows the 802.3 framing. While there is a common switched fabric, each system connected to it is assigned particular VLs (virtual links), a concept somewhat like a VLAN. There are subtle but significant differences, too numerous for this series.
The VL is the AFDX equivalent of the multiple A429 inputs and outputs. Two systems need a VL in place in order to communicate with each other, and the only-in and only-out concept applies: each VL has exactly one transmitting system. Packet timing also applies to AFDX, so frames received out of sequence or outside their allotted timing are discarded. The AFDX network is also a closed network, meaning there are no interfaces between the passenger cabin and the AFDX network. Some systems may be connected to both networks, but on the AFDX side the VL and label concept still applies.
If a hacker were to gain access to a system with an AFDX interface, say the IFE, the hacker would need to make the IFE appear to be another system and send commands impersonating it. This could be done in theory, but it would require reprogramming the IFE, and the statically configured switches would still only forward the VLs the IFE’s port is allowed to source. In addition, the IFE, not being a flight-critical system, does not have the redundant interfaces that flight control systems require.
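The AFDX properties described above (one source per virtual link, static switch configuration, bandwidth policing, sequence checking and the two redundant networks) are modelled in the following Python, an added example that is not code from the article or from any ARINC 664 implementation. The frame and configuration fields, the virtual link numbers, the end-system names and the simplified integrity-checking and redundancy-management rules are assumptions; the full ARINC 664 Part 7 rules (jitter allowances, skew windows) are more detailed than this model.

```python
"""AFDX (ARINC 664 Part 7) virtual-link policing and receive-side checks, modelled in Python.

Added example for illustration; not production avionics code. VL numbers, end-system
names and the simplified integrity/redundancy rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AfdxFrame:
    vl_id: int      # virtual link identifier, carried in the destination MAC address
    src_es: str     # transmitting end system, identified by the source MAC address
    seq: int        # one-byte sequence number: 1..255 wrapping to 1, 0 only after a reset
    network: str    # "A" or "B": every frame is sent on both redundant networks
    payload: bytes


@dataclass(frozen=True)
class VlConfig:
    source_es: str                # the single end system allowed to transmit on this VL
    ingress_port: int             # the switch port that end system is physically wired to
    bag_us: int                   # bandwidth allocation gap: minimum spacing between frames
    max_frame: int                # maximum payload size in bytes
    egress_ports: Tuple[int, ...]


class AfdxSwitch:
    """Statically configured switch. A frame is forwarded only if its VL exists in the
    table, arrives on the port its source is wired to, fits the size limit and respects
    the BAG. Everything else is dropped and recorded."""

    def __init__(self, table: Dict[int, VlConfig]):
        self.table = table
        self.last_arrival: Dict[int, int] = {}
        self.dropped: List[str] = []

    def forward(self, frame: AfdxFrame, ingress_port: int, t_us: int) -> Set[int]:
        cfg = self.table.get(frame.vl_id)
        if cfg is None:
            return self._drop(f"VL {frame.vl_id} not configured")
        if ingress_port != cfg.ingress_port or frame.src_es != cfg.source_es:
            # a system on another port claiming this VL is filtered no matter what
            # source address it writes into the frame
            return self._drop(f"VL {frame.vl_id} not permitted from port {ingress_port} ({frame.src_es})")
        if len(frame.payload) > cfg.max_frame:
            return self._drop(f"VL {frame.vl_id} frame too large")
        last = self.last_arrival.get(frame.vl_id)
        if last is not None and t_us - last < cfg.bag_us:
            return self._drop(f"VL {frame.vl_id} BAG violation")   # real switches allow a little jitter
        self.last_arrival[frame.vl_id] = t_us
        return set(cfg.egress_ports)

    def _drop(self, reason: str) -> Set[int]:
        self.dropped.append(reason)
        return set()


def _next_seq(seq: int) -> int:
    return 1 if seq >= 255 else seq + 1


def _prev_seq(seq: int) -> int:
    return 255 if seq <= 1 else seq - 1


class AfdxReceiver:
    """Receive side of an end system: integrity checking per (VL, network) keeps only
    frames whose sequence number is the next one, or the one after it (one lost frame
    tolerated); redundancy management then delivers the first good copy from either
    network and drops the other. Simplified relative to the full ARINC 664 rules."""

    def __init__(self):
        self.last_seq: Dict[Tuple[int, str], int] = {}
        self.delivered: Dict[int, int] = {}
        self.dropped: List[str] = []

    def receive(self, frame: AfdxFrame) -> Optional[bytes]:
        key = (frame.vl_id, frame.network)
        last = self.last_seq.get(key)
        if last is not None and frame.seq != 0:
            if frame.seq not in (_next_seq(last), _next_seq(_next_seq(last))):
                self.dropped.append(f"VL {frame.vl_id}/{frame.network}: seq {frame.seq} after {last}, out of sequence")
                return None
        self.last_seq[key] = frame.seq
        prev = self.delivered.get(frame.vl_id)
        if prev is not None and frame.seq in (prev, _prev_seq(prev)):
            self.dropped.append(f"VL {frame.vl_id}: seq {frame.seq} already delivered (redundant copy)")
            return None
        self.delivered[frame.vl_id] = frame.seq
        return frame.payload
```

The point of the switch model is that the impersonation the text describes fails at the first hop: a frame for a flight-critical VL that enters on the IFE’s port is dropped by the port-to-VL table before the forged source address is even relevant, and a burst of frames faster than the configured BAG is policed. On the receiving side, an injected or replayed frame whose sequence number does not follow the last accepted one is discarded.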
These new-generation airplanes can be updated on-wing, sometimes even over a wireless connection. Some take this to mean that all a hacker has to do is upload malicious software. While technically true, this is not possible in practice. On-wing updates of LRUs are performed using loadable software airplane parts (LSAPs).
Data loading of LSAPs is secured using PKI. The manufacturer holds the private key and the LRU on the aircraft holds the associated public key. To install malicious software on an aircraft LRU, a hacker would need not only physical access to the aircraft network but also the private key used to sign the LSAP and its associated electronic distribution of software (EDS) crate.
To achieve this, the attacker would need access to the aircraft network while the aircraft was on the ground. LRUs cannot be updated in flight, and updates are performed using either a special computer assigned to each aircraft or the on-board data loader (ODL). It should be noted that these are only accessible via a cockpit screen or in the avionics bay in the belly of the aircraft. While access to these locations is easy in action thrillers like Die Hard or Air Force One, it does not work like that in the real world.
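The verify-before-load property described above, with the loader holding only the manufacturer’s public key, is shown in the following Python. This is an added example, not code from the article, from any airframer or from any data-loader product. The RSA key is a toy built from two publicly known Mersenne primes with no signature padding, so that the block runs on the standard library alone; it stands in for the real PKI (properly generated keys, padded signatures, X.509 certificates) and is not a signing scheme to copy. The crate layout, the part number and the sample image bytes are constructed for the example.

```python
"""Verify-before-load for a loadable software airplane part (LSAP), modelled in Python.

Added example for illustration. The RSA key material is a deliberately tiny toy
(public Mersenne primes, no padding) so the block runs offline; real LSAP signing
uses standard PKI with padded signatures and certificates. The crate format is an
assumption, not the real EDS crate layout.
"""
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus, exponent)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Toy RSA key pair from two given primes. Returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # e is coprime to phi for the primes used below
    return (n, e), (n, d)


# Two public Mersenne primes: the demo key is obviously not secret, which is the point.
MANUFACTURER_PUBLIC_KEY, _MANUFACTURER_PRIVATE_KEY = toy_keypair((1 << 127) - 1, (1 << 521) - 1)


def _digest(part_number: str, image: bytes) -> int:
    """Hash the part number together with the image so a signed image cannot be
    relabelled as a different part."""
    h = hashlib.sha256(part_number.encode() + b"\0" + image).digest()
    return int.from_bytes(h, "big")   # 256 bits, well below the 648-bit modulus


def sign_part(part_number: str, image: bytes, private_key: Key) -> Dict[str, str]:
    """Manufacturer side: produce the crate that travels with the part."""
    n, d = private_key
    sig = pow(_digest(part_number, image), d, n)
    return {"part_number": part_number, "image": image.hex(),
            "signature": sig.to_bytes((n.bit_length() + 7) // 8, "big").hex()}


def verify_part(crate: Dict[str, str], public_key: Key) -> bool:
    """Aircraft side: recompute the digest and compare it with the recovered signature."""
    n, e = public_key
    sig = int.from_bytes(bytes.fromhex(crate["signature"]), "big")
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest(crate["part_number"], bytes.fromhex(crate["image"]))


class DataLoader:
    """On-board data loader model. The LRU's software is replaced only when the aircraft
    is on the ground and the crate verifies under the pinned manufacturer key."""

    def __init__(self, public_key: Key, on_ground: bool):
        self.public_key = public_key
        self.on_ground = on_ground
        self.installed: Dict[str, bytes] = {}

    def load(self, crate: Dict[str, str]) -> str:
        if not self.on_ground:
            return "refused: loading is only permitted on the ground"
        if not verify_part(crate, self.public_key):
            return "refused: signature does not verify under the manufacturer key"
        self.installed[crate["part_number"]] = bytes.fromhex(crate["image"])
        return "loaded"
```

An attacker who reprograms or replaces the image, relabels a genuine image as a different part, or signs with a key pair of their own is refused by the loader, because the only key it will trust is the one pinned in the LRU. Obtaining physical access to the loader on the ground does not help without the manufacturer’s private key.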
The aviation industry takes a very serious approach to cyber security and its impact on safety. To that end, there are many aviation-specific documents that detail formal security protocols and processes to ensure the safety of the planes we fly. Just as the security landscape is constantly changing, these documents are under constant review and are updated as necessary.
There are countless movies involving airplanes, from Snakes on a Plane and Turbulence to Flightplan and more. But it’s important to know that what happens in a Hollywood screenplay does not play out in the real world.
This article originally appeared on CSO.